A blind SQL injection vulnerability was discovered today in the popular WordPress SEO plugin by Yoast. The WPScan Vulnerability Database issued an advisory after responsibly disclosing the vulnerability to the plugin’s author:
The latest version at the time of writing (126.96.36.199) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.
The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.
Yoast was quick to respond with a patch and released version 1.7.4 with the following security fix:
Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.
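The advisory traces the flaw to the orderby and order GET parameters reaching a SQL query, and the changelog answers with strict sanitation of both. The PHP below is an added example of that kind of allowlist check, not the plugin's code or its actual patch. The function names, the column map, the posts table and the use of an in-memory SQLite database through PDO are all assumptions made for illustration.

```php
<?php
// Allowlist: accepted request value => real column name (hypothetical map).
const SORTABLE_COLUMNS = [
    'title' => 'post_title',
    'date'  => 'post_date',
    'type'  => 'post_type',
];

// Weak form, defined for contrast only: request values reach the SQL text.
function unsafe_order_clause(array $get): string
{
    return 'ORDER BY ' . $get['orderby'] . ' ' . $get['order'];
}

// Hardened form: identifiers cannot be bound as parameters, so both
// values are mapped onto fixed strings and never copied from the request.
function safe_order_clause(array $get): string
{
    $orderby = is_string($get['orderby'] ?? null) ? strtolower($get['orderby']) : '';
    $order   = is_string($get['order'] ?? null) ? strtoupper($get['order']) : '';

    $column    = SORTABLE_COLUMNS[$orderby] ?? 'post_title'; // default column
    $direction = ($order === 'DESC') ? 'DESC' : 'ASC';        // default direction

    return "ORDER BY {$column} {$direction}";
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (post_title TEXT, post_date TEXT, post_type TEXT)');
$db->exec("INSERT INTO posts VALUES ('Beta', '2015-03-10', 'post'),
                                    ('Alpha', '2015-03-11', 'page')");

// Constructed requests: one ordinary, one carrying SQL syntax in both fields.
$requests = [
    ['orderby' => 'date', 'order' => 'desc'],
    ['orderby' => 'post_title,(SELECT 1)', 'order' => 'ASC; --'],
];

foreach ($requests as $get) {
    $clause = safe_order_clause($get);
    // Data values (here post_type) still go through bound parameters.
    $stmt = $db->prepare("SELECT post_title FROM posts WHERE post_type IN (?, ?) {$clause}");
    $stmt->execute(['post', 'page']);
    echo $clause, ' => ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;
}
```

The second request falls back to the default column and direction because neither value matches the allowlist. The nonce and capability checks named in the changelog are separate controls that this example does not cover.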
Immediate Update Advised
Users running the most recent version are advised to update immediately. If you’re using Jetpack on all your sites, you can quickly update them by visiting: https://wordpress.com/plugins/wordpress-seo. There you will see all the sites where you have the plugin installed and can update from your centralized dashboard.
Hosting companies are scrambling to add a fix to protect customers. The Pressable status blog sent out an advisory on the vulnerability and is immediately updating installations where the plugin is active:
Our systems have already begun updating this plugin across all impacted sites on our systems, and we expect this process to be completed shortly.
SiteGround has added a temporary fix to tide customers over until they have the chance to update. The company added new security rules to its WAF (web application firewall), which will actively filter any incoming attempts to exploit the vulnerability.
— SiteGround (@SiteGround) March 11, 2015
WordPress SEO by Yoast is active on more than one million websites. While many hosts are being proactive about getting plugin updates to customers, most of the plugin’s users will not be able to rely on their host to take care of the update. Keeping your site safe from the vulnerability is as easy as logging in and updating to the latest version.
Update: Joost de Valk published an update discussing the vulnerabilities and what is fixed.